The CyberWire Daily Podcast 8.21.17
Ep 417 | 8.21.17

GCHQ and MalwareTech's arrest. Chinese oilfield sustains malware infestation. US Cyber Command now a UCC. Ukraine fears another cyber campaign. Turla returns. GPS spoofing. Extremism online. ICO hack.


Dave Bittner: [00:00:01:03] If you go to, you can find out how to become a contributor, and at the ten dollar per month level, you gain access to the ad free version of our show. It's the same CyberWire, just without the ads. So check it out. Thanks.

Dave Bittner: [00:00:21:02] GCHQ may have known about the FBI's intentions to arrest Marcus Hutchins, even before Hutchins departed England for Black Hat. A Chinese oil production field is thought to have sustained some sort of cyber incident similar to those involving NotPetya. US Cyber Command receives elevated status. It's now the tenth Unified Combatant Command. Ukrainian authorities warn that country's financial sector to expect a new wave of cyberattacks. Turla is back, inviting you to the G20 meetings. GPS spoofing fears rise. Dealing with extremism online. And another initial coin offering is hacked.

Dave Bittner: [00:01:01:05] And now something about our sponsors at E8 Security. We've all heard a great deal about Artificial Intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is, and machines are great at that kind of baselining. For a guide to the reality and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at technologies that have both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:02:07:19] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, August 21st, 2017.

Dave Bittner: [00:02:18:04] The Sunday Times reported yesterday that Britain's GCHQ apparently knew the US FBI intended to nab Marcus Hutchins, when the white hat showed up in Las Vegas, for Black Hat. Apparently no one wanted an extradition fight; there is, of course, no such fight since Hutchins was taken into custody in the United States. The report on GCHQ foreknowledge is unclear with respect to motive; most discussion doesn't go beyond thinking that British security officials just wanted to do a solid for a close but grumpy partner.

Dave Bittner: [00:02:49:06] Hutchins, arrested on August 2nd and now out on bail, is working in the US while he awaits his October trial. He's accused of having written, advertised, and sold the Kronos banking Trojan. Hutchins was hailed as a hero for his role in flipping (more-or-less inadvertently) the kill switch on WannaCry when that bit of pseudo ransomware was biting the UK's National Health Service hard. His arrest remains controversial in security circles, with many white hat researchers feeling themselves newly vulnerable to similar prosecution. Some of the more overheated discussions have advised vulnerability researchers to boycott all conferences held in the US. Needless to say, that's unlikely in the extreme to happen.

Dave Bittner: [00:03:31:14] Sinopec's Shengli oilfield in China, one of that country's larger production fields, announced this morning that it had disconnected many of its offices from the Internet. Early reports indicate a cyberattack, but the story is still new and developing. A short account distributed by Reuters and sourced to Sinopec's website is the principal report so far. The incident is vaguely characterized by Reuters as "ransomware that hobbled big business across the globe." Presumably that would be either the NotPetya or WannaCry pseudo ransomware code, but as we say, the story is still developing.

Dave Bittner: [00:04:07:24] US Cyber Command will now become a unified combatant command. On Friday President Trump made the formal announcement. Cyber Command has been a subcommand of US Strategic Command. The upgrade in Cyber Command's status has met with general approval. Many experts have long seen Cyber Command's current position, commanded by the Director NSA but operating as a subordinate organization of US Strategic Command, as leading to fragmented and imperfectly focused cyberspace operations. Its close ties to NSA bring with them, many observers think, the familiar difficulties that arise when intelligence and operational missions are commingled. Operators responsible for intelligence tend to find themselves looking on the sunny side. When intelligence is independently developed, it's thought that more realistic appraisals of the adversary's situation are likelier.

Dave Bittner: [00:04:59:15] Unified combatant commands are, according to the US Joint Staff, "commands with a broad continuing mission under a single commander and composed of significant assigned components of two or more Military Departments that is established and so designated by the President, through the Secretary of Defense, with the advice and assistance of the Chairman of the Joint Chiefs of Staff." They report directly to the Secretary of Defense, then to the President, making them in effect the top-level US military organizations. Six of the current UCCs are geographical, focused on a specific area of responsibility: Europe, Africa, North America, South America, Asia and the Pacific, and the Middle East. The remaining three are functional: transportation, special operations and strategic forces. Cyber Command will become the fourth functional command. The decision is also regarded as a step toward splitting Cyber Command leadership from the National Security Agency, the NSA. Currently both organizations are led by the same officer, Admiral Michael Rogers. Separation would involve another Presidential decision.

Dave Bittner: [00:06:03:19] Ukraine's security services and central bank have warned that country to be on the alert for a fresh wave of cyberattacks; the financial sector is thought likely to be especially targeted.

Dave Bittner: [00:06:14:24] The Russia-connected Turla cyberespionage group is back and luring targets with phishbait that looks like a note from Germany's Federal Ministry for Economic Affairs and Energy inviting recipients to save the date for October's G20 meetings in Hamburg. At least some of the spoofed notes have been in English; their presentation is fairly convincing. Researchers at security company Proofpoint see novel features in the dropper being used: for one thing, it fingerprints the infected system itself. This was formerly done by the backdoor "KopiLuwak" it installed. Turla's been around for some time, since 2007 at least, and it's generally believed to be a threat actor run by Russian intelligence services. It's gone by a lot of names. If you're keeping score at home, you may know Turla as Waterbug, KRYPTON, or Venomous Bear. Turla itself is the name of one of the group's principal tools, other names for which include Snake and Uroburos (for Turla itself) and Epic Turla (also known as Wipbot or Tavdig).

Dave Bittner: [00:07:17:15] There are reports that GPS spoofing affected maritime traffic in the Black Sea briefly this summer. Observers fear this amounts to Russian demonstration of a new capability.

Dave Bittner: [00:07:29:07] Today the destroyer USS John S. McCain collided with a tanker east of Singapore. This is the fourth collision in the Western Pacific a US Navy ship has been involved with over the past year, which strikes observers as unusually high. Real Clear Defense reports speculation that ship navigation systems, probably GPS, may have been interfered with, presumably by Chinese operators.

Dave Bittner: [00:07:54:12] After the Charlottesville riot and homicide, industry remains uneasy about the role it should play in policing extremist content online. The Electronic Frontier Foundation warns tech executives that such content-policing is a slippery slope. The Foundation argues that speech ought generally to be free, and that companies who control vast stretches of cyberspace ought not to become censors. The dangers of unaccountable restriction, the EFF thinks, are great, and likely to be underappreciated. Effectively they join Cloudflare CEO Matthew Prince's call for some reflection on the matter even as they agree with Prince's own self-assessment that his decision to kick the neo-nazi Daily Stormer off Cloudflare's service was as dangerous as he felt it to be unavoidable. The companies themselves are in a tough spot. They have their own reputations to worry about, and US law, at least, would generally permit them to decline to provide services. The tech companies are in an even tougher spot in other jurisdictions. Several European countries, notably Germany, will hold third-party service providers liable under laws restricting hateful content.

Dave Bittner: [00:09:04:07] Investigations into last week's jihadist murders in Spain see unusually far-flung connections to Brussels, Wales, and Maryland. There may have been operational connections between the Spanish cell and money-laundering operations in the US (a Marylander has copped a plea to this one), and logistical support mounted through Wales. Both the US and Spanish ends of the connection are thought by investigators to have contemplated massacres in churches. Significant evidence concerning the Islamist cells has been gathered online.

Dave Bittner: [00:09:37:03] And finally, another initial coin offering, this one for the Enigma platform, has been hacked by crooks; they made off with some $500,000.

Dave Bittner: [00:09:51:20] Now I'd like to tell you about an upcoming Webinar from our sponsor Delta Risk. With threats to the healthcare industry at an all time high, IT and Information Security professionals in hospitals, health care provider firms and insurance firms have more concerns than ever about patient data and business continuity. In the 45 minute Webinar, "Preparing for cyber risks to health care operations. Be ready, not sorry", experts from Stanford Children's Health, Delta Risk and Huntzinger Management Group will discuss essential elements of how to respond to a cyber attack and properly prepare a business continuity plan. Save the date for August 23rd at one p.m. Eastern time, by visiting Delta Risk LLC, a Chertoff Group Company, is a global provider of cyber security services to commercial and government clients. Learn more about Delta Risk by visiting and reserve your seat for this interactive discussion. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:10:57:22] Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, welcome back. We wanted to talk about the RIG Exploit kit today and you will have seen a marked decline in the use of it.

Rick Howard: [00:11:13:12] These exploit kits, they started to come onto the landscape around 2006, okay. Cyber adversaries began to automate the process of exploiting endpoints, so they didn't do it manually every time. So by 2010, it was fairly common for hackers to sell these collections of tools as a kit in underground markets. They are basically SaaS applications for cyber adversaries. You know, the cyber adversary compromises a watering hole website, this is a website that they know their victims like to read, and then they redirect a portion of the victim's traffic to these exploit kit SaaS servers. The SaaS application would then look at the victim's host configuration, determine the specific exploit to run to compromise the victim's machines. And so once compromised, the SaaS application would deliver the malware payload to the victim and so, common names we've seen over the last few years are Web Attacker, Blackhole, Angler, Neutrino and RIG. And, for example, Unit 42 has been tracking RIG for a while now in two specific adversary playbooks. One's called EITest and the other one's called Pseudo-Darkleech, and I love these names, okay.

Rick Howard: [00:12:28:07] Now, sometime in the spring, both playbooks, okay the adversaries behind them, stopped using RIG to compromise victim networks. They stopped using that exploit kit. Unit 42 knows as that adversary playbooks use, they're used in other exploitation kits like, you know, Fiesta and Sweet Orange. They started to drop off too. And it appears that many cyber adversaries are turning away from exploit kits, towards spam, to compromise their victims' endpoints. Now, it's impossible to know for sure why this is happening. It could be a number of things, alright. In May, Proofpoint said that it had been a year since they saw a new zero day vulnerability in an exploit kit. So maybe the price of zero days had made them prohibitive to use in common exploitation kits. I don't know. Also, the industry has gone after the exploit kit infrastructure in a big way; both Cisco and RSA have coordinated takedown operations this year. And let's get the browser developers from Google some credit. Chrome is by far the largest user base of any browser, about 47% compared to like Microsoft's 19%, and they have significantly upped their game in terms of browser security this past year or so. A combination of all those things, probably, is what attributed to this. Exploitation kits have not disappeared, by any means. They are still around. This is just an indicator that the landscape is changing and we should be paying attention to that.

Dave Bittner: [00:13:47:03] All right, good information as always. Rick Howard, thanks for joining us.

Rick Howard: [00:13:50:17] Thank you, sir.

Dave Bittner: [00:13:53:18] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit A reminder that if you're interested in threat intelligence, you should check out the Recorded Future podcast, where I am also the host. You can find out more about that at The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.